Bulletproof Hosting Providers Abuse ISPsystem VM Templates to Support Ransomware Infrastructure
Security researchers at Sophos have identified widespread abuse of virtual machines provisioned through ISPsystem’s VMmanager platform, with bulletproof hosting providers supplying preconfigured Windows servers to cybercriminal groups. The activity was uncovered during investigations into WantToCry ransomware incidents, where multiple attacks used virtual machines with identical autogenerated NetBIOS hostnames derived from default ISPsystem templates. Further analysis linked the same hostnames to infrastructure used by major ransomware and malware operations, including LockBit, Qilin, Conti, BlackCat, Ursnif, and multiple infostealer campaigns. Shodan telemetry showed thousands of internet-exposed systems sharing the same hostnames, many hosted by providers previously associated with sanctioned or abuse-tolerant infrastructure. Researchers confirmed that these hostnames originate from default Windows templates that do not randomize system identifiers during deployment, allowing large clusters of malicious infrastructure to blend in with legitimate virtual machines. The investigation suggests that cybercriminals are leveraging legitimate virtualization management platforms as scalable infrastructure for command-and-control, payload staging, and ransomware operations. Bulletproof hosting providers, including services advertised under brands such as MasterRDP, appear to lease ISPsystem-provisioned virtual machines to malicious customers while ignoring abuse complaints and takedown requests. Telemetry shows that just four default hostnames account for more than 95 percent of observed internet-facing ISPsystem virtual machines, many of which are tied to known criminal campaigns. Defenders should track known malicious hostname patterns, monitor outbound connections to high-risk hosting providers, and implement network controls that limit RDP or management access to untrusted virtual infrastructure.
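One way to turn the hostname observation above into a hunt, as an added example that is not Sophos's code: cluster connection logs by NetBIOS hostname and measure how few names cover most of the IPs. The log format, IP addresses and template hostnames are constructed placeholders, not indicators from the report.

```python
# Added example (not Sophos's code): flag NetBIOS hostnames shared by many
# distinct IPs, the shape left by VM templates that never randomize the
# hostname. The log lines, IPs and hostnames below are constructed samples.
from collections import defaultdict

# Constructed "<source_ip> <netbios_hostname>" lines, as from SMB/RDP logs.
SAMPLE_LOG = """\
203.0.113.10 WIN-TEMPLATE01
203.0.113.11 WIN-TEMPLATE01
203.0.113.12 WIN-TEMPLATE01
203.0.113.13 WIN-TEMPLATE01
198.51.100.7 WIN-TEMPLATE02
198.51.100.8 WIN-TEMPLATE02
192.0.2.5 FINANCE-LAPTOP
192.0.2.6 HR-DESKTOP
"""

def parse_sessions(text):
    """Yield (ip, HOSTNAME) pairs, ignoring blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1].upper()

def hostname_clusters(text, min_ips=3):
    """Hostnames seen from at least min_ips distinct IPs, with those IPs.
    A real fleet rarely shares one NetBIOS name across many public
    addresses; template-provisioned VMs do exactly that."""
    seen = defaultdict(set)
    for ip, host in parse_sessions(text):
        seen[host].add(ip)
    return {h: sorted(ips) for h, ips in seen.items() if len(ips) >= min_ips}

def top_hostname_share(text, n=4):
    """Share of observed IPs covered by the n most common hostnames.
    Sophos saw four default names cover over 95 percent of exposed VMs;
    a value near 1.0 in your own data points at the same template."""
    sizes = sorted((len(v) for v in hostname_clusters(text, 1).values()),
                   reverse=True)
    return sum(sizes[:n]) / sum(sizes) if sizes else 0.0

def known_template_hits(text, tracked):
    """IPs whose hostname is on a tracked list of template names (the set
    is a placeholder; populate it from vendor-published indicators)."""
    return sorted({ip for ip, h in parse_sessions(text) if h in tracked})
```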
APT-Q-27 Linked Intrusion Uses Signed .PIF Dropper and Fileless Backdoor Deployment
CyStack researchers have identified a stealthy, multi-stage intrusion that began when a customer support employee executed a malicious [.]pif file delivered through a Zendesk support ticket. The file was disguised as an image download and digitally signed with a valid certificate at the time of distribution, helping it bypass reputation-based defenses. Once executed, the dropper retrieved additional components from cloud infrastructure and staged them in a directory designed to resemble a legitimate Windows Update cache. The attackers then used DLL sideloading to execute a malicious loader inside a trusted, signed process, decrypting the final backdoor payload directly into memory. The malware established persistence through a fake Windows service, modified UAC settings to reduce prompts, and connected to command-and-control infrastructure consistent with previously documented GoldenEyeDog campaigns. Technical analysis shows the backdoor employs anti-analysis checks, runtime C2 decryption, and a modular plugin-based architecture capable of file operations, keystroke logging, screen capture, and remote command execution. The payload is delivered entirely in memory, significantly reducing its forensic footprint and bypassing many signature-based controls. Infrastructure naming patterns, multi-stage payload delivery, and the use of encrypted log-style containers show notable overlap with activity attributed to APT-Q-27, though attribution cannot be confirmed with certainty. Because the activity may not trigger traditional alerts, early detection depends on behavioral analysis and cross-stage correlation. Defenders should implement behavior-based endpoint monitoring, hunt for DLL sideloading and suspicious service creation, and monitor for abnormal outbound connections to unknown command-and-control infrastructure.
Screensaver-Based Spearphishing Campaign Deploys RMM Agents for Persistent Remote Access
ReliaQuest has identified a spearphishing campaign that uses Windows screensaver ([.]scr) files to silently deploy legitimate remote monitoring and management (RMM) tools for persistent access. The attack begins with business-themed phishing emails directing users to cloud-hosted downloads disguised as routine documents, such as invoices or project files. When the victim executes the [.]scr file, it installs an unauthorized yet legitimate RMM agent, enabling attackers to gain interactive remote control that blends into normal IT activity. Because RMM tools are widely trusted and communicate over encrypted channels, installations often bypass traditional malware detection and give attackers a foothold for credential theft, lateral movement, or ransomware deployment. The campaign has been observed across multiple environments and is easily adaptable by swapping hosting providers or RMM products. The intrusion model reflects a broader trend toward “living-off-the-land” techniques, where attackers rely on legitimate software rather than custom malware to evade detection. Once installed, the RMM agent provides durable, unattended access that survives reboots and allows adversaries to operate inside the network under the guise of routine administrative activity. This approach reduces reliance on attacker-controlled infrastructure and complicates containment, as the traffic and tooling appear legitimate. The technique is also highly scalable, combining low-friction initial access with trusted cloud services and overlooked executable formats. Similar campaigns have previously used screensavers or RMM abuse to establish persistent footholds before ransomware deployment. Defenders should implement strict allowlists for approved RMM tools, monitor for unexpected agent installations or new services, and alert on outbound connections to unsanctioned remote management infrastructure.
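The hunts recommended in the two reports above (the .scr lure here and the .pif dropper, fake service and DLL sideload in the APT-Q-27 item) share one shape: correlate a few endpoint events by parent process, service path and DLL origin. This added example, not code from ReliaQuest or CyStack, runs those three rules over constructed Sysmon/System-log-style events; the field names, paths and service name are assumptions, not indicators from either report.

```python
# Added example (not ReliaQuest's or CyStack's code): three hunts over
# constructed Sysmon/System-log-style events. Paths, names and the events
# themselves are constructed, not real indicators.
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\program files\\", "c:\\program files (x86)\\")
LURE_EXTS = (".scr", ".pif")

def _norm(path):
    return path.lower().replace("/", "\\")

def _in_system_dir(path):
    return _norm(path).startswith(SYSTEM_DIRS)

EVENTS = [  # id 1: process create, 7: image load, 7045: service install
    {"id": 1, "image": "C:\\Windows\\System32\\msiexec.exe",
     "parent": "C:\\Users\\a\\Downloads\\Invoice_2024.scr"},
    {"id": 1, "image": "C:\\Users\\a\\AppData\\Local\\Temp\\drop.exe",
     "parent": "C:\\Users\\a\\Downloads\\photo.jpg.pif"},
    {"id": 7045, "service": "WindowsUpdateHelper",
     "path": "C:\\ProgramData\\WUCache\\svc.exe"},
    {"id": 7045, "service": "Spooler",
     "path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"id": 7, "image": "C:\\ProgramData\\WUCache\\signedhost.exe",
     "signed": True, "loaded": "C:\\ProgramData\\WUCache\\version.dll",
     "loaded_signed": False},
    {"id": 7, "image": "C:\\Windows\\System32\\svchost.exe",
     "signed": True, "loaded": "C:\\Windows\\System32\\ntdll.dll",
     "loaded_signed": True},
]

def hunt(events):
    """Return (rule, event) pairs for every event that matches a hunt rule."""
    hits = []
    for e in events:
        if e["id"] == 1 and _norm(e["parent"]).endswith(LURE_EXTS):
            # A screensaver or PIF file has no business launching children.
            hits.append(("lure_spawn", e))
        elif e["id"] == 7045 and not _in_system_dir(e["path"]):
            # Persistence service backed by a binary in a writable location.
            hits.append(("service_outside_system_dirs", e))
        elif (e["id"] == 7 and e["signed"] and not e["loaded_signed"]
              and not _in_system_dir(e["loaded"])
              and ntpath.dirname(_norm(e["loaded"]))
              == ntpath.dirname(_norm(e["image"]))):
            # Signed host loading an unsigned DLL from its own directory.
            hits.append(("dll_sideload", e))
    return hits
```

Feed it real events by mapping your telemetry's fields onto the keys used here; the three rules are independent, so each can be tuned or allowlisted on its own.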
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.